I want to keep antivirus software from affecting performance on a TFS installation -- what should be excluded from antivirus scanning? IIS? MSSQL? Am I opening myself up for possible attacks by excluding these? I've seen some recommendations that say antivirus software can interfere with the ability of MSSQL Server to open its database files.

Also it is worth noting that Antivirus software can cause performance issues down at the TFS client for similar reasons that it does on the server. When a file is downloaded, behind the scenes the file is first placed into a temporary directory and is then moved from the temp directory into the real location.

You can diagnose if Anti-virus is affecting the performance in this way by temporarily disabling it, performing a large Get operation and then comparing the time taken to download the files with the time taken when the AV is enabled.

One way to tell for sure would be to use SysInternal's ProcMon to capture all of the file IO that happens on a regular basis.

Start ProcMon up and let it capture for a while. By default it stores the capture in the swap file and records more than just drive IO. So if you are going to capture for too long, you will want change the backing file and only capture drive access. After stopping the capture, click on Tools then File Summary. This will give you a list of files that were accessed, sorted by most to least accessed.

I used to see problems with some anti-virus programs when scanning ASP.NET web sites. They could lock files that needed to be writable, especially in the case of files that are built and/or compiled on the fly.

I have had concerns about anti-virus "touching" files that cause an ASP.NET application to restart - anything in the bin folder, web.config, etc. I do not have specific cases beyond "concern", however.